Remove XSS vulnerability on the main page
Before, there was no protection stopping users from submitting their own HTML including JavaScript functions. This could allow attackers to steal sensitive information like session cookies, or just to deface the page by changing page-wide CSS rules.
Taiiwo committed Feb 8, 2015
1 parent f7daf31 commit ba2f71a
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions js/roomElement.js
@@ -18,6 +18,8 @@
};

RoomElement.prototype.render = function () {
// HTML escape the subject before it is posted to the main page
this.options.subject = $('<div/>').text(this.options.subject).html();
this.$el.html(this.template(this.options));

this.$el.find('.tooltip-top').tooltipster({
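Review bot: the added line `this.options.subject = $('<div/>').text(this.options.subject).html();` escapes in place, so every call to render() escapes the already-escaped value (an `&` becomes `&amp;` on the first render and `&amp;amp;` on the second) and the raw subject is lost to anything else that reads `this.options.subject`. Escape into a local copy instead, e.g. `var opts = $.extend({}, this.options, { subject: $('<div/>').text(this.options.subject).html() });` followed by `this.$el.html(this.template(opts));`. Two caveats worth a comment next to the line: innerHTML serialisation escapes `&`, `<` and `>` but not quotes, so this is only adequate where the template places the subject as element text, not inside an attribute; and any other option the template interpolates is still unescaped.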